alpine 3.6
access weakness #198


Weakness Breakdown


An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 	int iMainMsgQDeqSlowdown;	/* dequeue slowdown (simple rate limiting) */
	int64 iMainMsgQueMaxDiskSpace;	/* max disk space allocated 0 ==> unlimited */
	int64 iMainMsgQueDeqBatchSize;	/* dequeue batch size */
	int bMainMsgQSaveOnShutdown;	/* save queue on shutdown (when DA enabled)? */
	int iMainMsgQueueDeqtWinFromHr;	/* hour begin of time frame when queue is to be dequeued */
	int iMainMsgQueueDeqtWinToHr;	/* hour begin of time frame when queue is to be dequeued */
};

/* globals are data items that are really global, and can be set only
 * once (at least in theory, because the legacy system permits them to
 * be re-set as often as the user likes).
 */
struct globals_s {
	int bDebugPrintTemplateList;
	int bDebugPrintModuleList;
	int bDebugPrintCfSysLineHandlerList;
	int bLogStatusMsgs;	/* log rsyslog start/stop/HUP messages? */
	int bErrMsgToStderr;	/* print error messages to stderr
				  (in addition to everything else)? */
	int bAbortOnUncleanConfig; /* abort run (rather than starting with partial
				      config) if there was any issue in conf */
	int uidDropPriv;	/* user-id to which privileges should be dropped to */
	int gidDropPriv;	/* group-id to which privileges should be dropped to */
	int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */
	int umask;		/* umask to use */
	uchar *pszConfDAGFile;	/* name of config DAG file, non-NULL means generate one */

	// TODO are the following ones defaults?
	int bReduceRepeatMsgs; /* reduce repeated message - 0 - no, 1 - yes */

	//TODO: other representation for main queue? Or just load it differently?
	queuecnf_t mainQ;	/* main queue parameters */
};

/* (global) defaults are global in the sense that they are accessible
 * to all code, but they can change value and other objects (like
 * actions) actually copy the value a global had at the time the action
 * was defined. In that sense, a global default is just that, a default,
 * which can (and will) be changed in the course of config file
 * processing. Once the config file has been processed, defaults
 * can be dropped. The current code does not do this for simplicity.
 * That is not a problem, because the defaults do not take up much memory.
 * At a later stage, we may think about dropping them. -- rgerhards, 2011-04-19
 */
struct defaults_s {

/* list of modules loaded in this configuration (config specific module list) */
struct cfgmodules_etry_s { 
